In this post I will analyze one of the ELF files captured on my honeypot. First, a dynamic analysis will be performed. Once we understand its behaviour we will move on to a more in-depth static analysis.

All the files captured in my honeypot had one thing in common: they were executables. All but one, that is: a single, lonely C source file. Naturally, this caught my attention, so I decided to read the source code.

It turned out to be a rudimentary port scanner, written by someone going by the alias of Lupu, meant to sweep class B networks. What really got my attention was this line of code:

strcpy(argv[0],"/bin/bash");

That... cannot work, right? I mean, is Linux really going to report my process as the obviously innocuous bash shell just because I
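To see what that line actually buys the scanner, here is an added example of my own (it is not Lupu's source; only the idea of overwriting argv[0] is taken from the captured file). It rewrites argv[0] in place and then reads back what the kernel reports through /proc. The helper names are mine, and the /proc checks in main() assume Linux:

```c
/* Added example: argv[0] overwrite versus what /proc really records.
 * Not the captured scanner's code; only the argv[0] idea comes from it.
 * The /proc reads in main() are Linux-specific. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Replace the process's argv[0] in place, as the scanner does with strcpy(),
 * but bounded to the bytes the original argv[0] occupied. The argument
 * strings sit back to back on the stack, so a plain strcpy() of a longer
 * name runs on into argv[1] and then the environment. Returns 1 if the fake
 * name fit entirely, 0 if it had to be truncated. */
int spoof_argv0(char *argv0, const char *fake)
{
    size_t room = strlen(argv0);   /* bytes we may legally overwrite */
    size_t need = strlen(fake);
    size_t n = need < room ? need : room;

    memset(argv0, 0, room);        /* wipe leftovers of the real name */
    memcpy(argv0, fake, n);        /* the NUL at argv0[room] is kept */
    return need <= room;
}

/* Detection heuristic: execve() sets the task's comm to the basename of the
 * executed path, truncated to 15 characters (TASK_COMM_LEN - 1). Writing
 * argv[0] does not touch comm, so basename(argv[0]) disagreeing with comm
 * is a hint that the process renamed itself (a hint only: symlinks and
 * "sh -c" wrappers also produce mismatches). Returns 1 on mismatch. */
int argv0_comm_mismatch(const char *argv0, const char *comm)
{
    const char *base = strrchr(argv0, '/');
    base = base ? base + 1 : argv0;

    char expect[16];
    strncpy(expect, base, 15);     /* same truncation the kernel applies */
    expect[15] = '\0';

    size_t len = strlen(comm);
    if (len && comm[len - 1] == '\n')   /* /proc/<pid>/comm ends in '\n' */
        len--;
    return !(strlen(expect) == len && memcmp(expect, comm, len) == 0);
}

/* Read one /proc/self entry into buf, NUL-terminated. Returns bytes read,
 * or -1 if it cannot be opened (for example when not running on Linux). */
static ssize_t read_proc_self(const char *name, char *buf, size_t size)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/%s", name);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, size - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (ssize_t)n;
}

int main(int argc, char **argv)
{
    char cmdline[4096], comm[64], exe[4096];
    (void)argc;

    printf("before: argv[0] = %s\n", argv[0]);
    if (!spoof_argv0(argv[0], "/bin/bash"))
        puts("note: fake name truncated to fit the original argv[0]");

    /* ps's COMMAND column is built from cmdline, so it now says /bin/bash... */
    if (read_proc_self("cmdline", cmdline, sizeof cmdline) > 0)
        printf("cmdline: %s\n", cmdline);   /* args are NUL-separated; argv[0] prints */

    /* ...but comm (top, ps -o comm) was fixed at execve() and is unchanged... */
    if (read_proc_self("comm", comm, sizeof comm) > 0)
        printf("comm:    %s", comm);
    if (cmdline[0] && comm[0])
        printf("mismatch between argv[0] and comm: %s\n",
               argv0_comm_mismatch(cmdline, comm) ? "yes" : "no");

    /* ...and /proc/self/exe still resolves to the real binary on disk. */
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n > 0) {
        exe[n] = '\0';
        printf("exe:     %s\n", exe);
    }
    return 0;
}
```

Build it as, say, `cc -o scanner spoof.c` and run `./scanner`: `ps aux` will list the process as /bin/bash, because ps reads /proc/PID/cmdline, while `cat /proc/PID/comm` and `ls -l /proc/PID/exe` still give the real name and path. Those two files are the checks to run when a process list looks too innocent. Note also that the original strcpy() is only safe when the fake name is no longer than the name the binary was invoked with; the bounded copy above is mine, not the scanner's.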

If you want to have a look at what has been downloaded to my honeypot over these months, you now can.
In this period over 15,000 files have been downloaded, the majority of them empty files due to bad redirects or malware servers being down. After cleaning up the empty files I'm left with 215, which are available for download here.
The site is password protected, but if you want in you can contact me using the contact form on my landing page or drop a comment below.

Have you ever wondered how much of a threat having a server exposed to the internet is?

I own a server on a public IP that serves HTTP + SSH, mainly for testing projects. It had no domain names pointing to it until a week ago and it is not linked to by any other machine (not that I know of). I had hardened the SSH service with iptables, rate limiting and a stricter sshd configuration. Still, it didn't feel safe, as services like Shodan do exist.